Improvement on "Analyzing function arguments at cross references" #4

Closed
gipi opened this issue Jun 12, 2022 · 3 comments

gipi commented Jun 12, 2022

In the snippet regarding the extraction of arguments, if I'm understanding the code correctly, it is iterating through all the instructions until it reaches a CALL and then checks again that the address is the one we are interested in, but it's possible to ask for the opcode directly from an address by passing it as an argument to getPcodeOps().

From the help:

>>> help(high_func.getPcodeOps)
Searching API for ghidra.program.model.pcode.HighFunction.getPcodeOps()...
Searching API for ghidra.program.model.pcode.PcodeSyntaxTree.getPcodeOps()...
-----------------------------------------------------
Iterator getPcodeOps()
  return all PcodeOps (alive or dead) ordered by SequenceNumber

  @return java.util.Iterator<ghidra.program.model.pcode.PcodeOpAST>: -- Iterator to PcodeOps

-----------------------------------------------------
-----------------------------------------------------
Iterator getPcodeOps(Address addr)
  return all PcodeOps associated with a particular instruction Address

  @param addr (ghidra.program.model.address.Address): -- Address of instruction generating PcodeOps
  @return java.util.Iterator<ghidra.program.model.pcode.PcodeOpAST>: -- Iterator to PcodeOps

-----------------------------------------------------

From a terminal session

>>> from ghidra.app.decompiler import DecompileOptions
>>> from ghidra.app.decompiler import DecompInterface
>>> from ghidra.util.task import ConsoleTaskMonitor
>>> monitor = ConsoleTaskMonitor()
>>> ifc = DecompInterface()
>>> options = DecompileOptions()
>>> ifc.setOptions(options)
True
>>> ifc.openProgram(currentProgram)
True
>>> func = getFunctionContaining(currentAddress)
>>> func
KeyboardBridgeServer::connectedChanged
>>> res = ifc.decompileFunction(func, 60, monitor)
>>> res
ghidra.app.decompiler.DecompileResults@46c33206
>>> high_func = res.getHighFunction()
>>> high_func.getPcodeOps(toAddr(0x00c8d64))
java.util.AbstractMap$2$1@4511ac6b
>>> pcodeops = high_func.getPcodeOps(toAddr(0x00c8d64))
>>> op = pcodeops.next()
>>> op
 ---  CALL (ram, 0x3b0e0, 8) , (unique, 0x10000009, 4) , (unique, 0x1000000d, 4) , (const, 0x0, 4) , (const, 0x0, 4)
>>> op.getInputs()
array(ghidra.program.model.pcode.Varnode, [(ram, 0x3b0e0, 8), (unique, 0x10000009, 4), (unique, 0x1000000d, 4), (const, 0x0, 4), (cons

In this way you can avoid a lot of overhead.

Collaborator

cetfor commented Jun 12, 2022

Awesome, thank you for submitting this! I'll update the snippet or add an additional snippet tonight with credit to you.

Author

gipi commented Jun 12, 2022

perfect!

cetfor pushed a commit that referenced this issue Jun 13, 2022
Collaborator

cetfor commented Jun 13, 2022

I've added your code. Thanks again :)
f891442

@cetfor cetfor closed this as completed Jun 13, 2022
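
The address-keyed lookup discussed in this issue, applied to every call site of one function. This is an added example, not code from the issue or from the project's snippets. `TARGET_NAME` and the three function names are hypothetical, and `currentProgram`, `getGlobalFunctions`, `getReferencesTo` and `getFunctionContaining` are globals that exist only inside a Ghidra Python session.

```python
TARGET_NAME = "memcpy"  # assumption: the callee whose call sites are being audited

def call_ops_at(high_func, call_addr):
    """Return the CALL/CALLIND PcodeOps attached to one instruction address."""
    # getPcodeOps(addr) yields every op generated for that instruction,
    # so keep only the call ops instead of trusting the first element.
    return [op for op in high_func.getPcodeOps(call_addr)
            if op.getMnemonic() in ("CALL", "CALLIND")]

def describe_args(op):
    """Input 0 of a call op is the call target; the rest are the arguments."""
    args = []
    for vn in list(op.getInputs())[1:]:
        # Constants are returned as numbers, anything else as its varnode text.
        args.append(vn.getOffset() if vn.isConstant() else str(vn))
    return args

def audit_call_sites():
    from ghidra.app.decompiler import DecompInterface
    from ghidra.util.task import ConsoleTaskMonitor
    ifc = DecompInterface()
    ifc.openProgram(currentProgram)
    high_funcs = {}  # decompile each caller once, then look up by address
    for target in getGlobalFunctions(TARGET_NAME):
        for ref in getReferencesTo(target.getEntryPoint()):
            if not ref.getReferenceType().isCall():
                continue
            addr = ref.getFromAddress()
            caller = getFunctionContaining(addr)
            if caller is None:
                continue  # reference from outside any defined function
            key = caller.getEntryPoint()
            if key not in high_funcs:
                res = ifc.decompileFunction(caller, 60, ConsoleTaskMonitor())
                high_funcs[key] = res.getHighFunction()
            if high_funcs[key] is None:
                continue  # decompilation failed or timed out
            for op in call_ops_at(high_funcs[key], addr):
                print("%s %s" % (addr, describe_args(op)))

try:
    audit_call_sites()
except ImportError:  # the ghidra package is missing: not running inside Ghidra
    pass
```

An empty result from `call_ops_at` means the decompiler produced no call op for that address in the caller's high function, so such call sites print nothing.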